AD Auth with group membership to role

Hi. I have been trying to figure out the Security>Authentication script configuration to authenticate against AD. I was able to login with AD users with the Ironman documentation. However, I kind of got lost after. Would anybody have an example script that can do the following:

  1. Auth User against AD “Forms Auth”
  2. Assign Admin role based on X AD group(PSUAdmins) membership.
  3. Assign Operator role based on X AD group(PSUOperators) membership.
  4. Assign Reader role based on X AD group (PSUReaders) membership.
  5. Deny login if not in one of the above roles.

Thank you!

1 Like

This is my sanitized Authentication.ps1

$Result = [Security.AuthenticationResult]::new()
if ($Credential.UserName -eq 'Admin' -and $Credential.GetNetworkCredential().Password -eq "PASSWORD")
{
    # Maintain the out-of-box admin user
    $Result.UserName = 'Default Admin'
    $Result.Success = $true
}
else
{
    # Bind to the domain with the logged-on user's credentials - this validates their credential
    $CurrentDomain = "LDAP://DC=domain,DC=local"  # Insert your domain here
    $domain = New-Object System.DirectoryServices.DirectoryEntry($CurrentDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    # A failed bind makes the .name lookup come back $null (PowerShell reports the bind failure as a non-terminating error)
    if ($null -eq $domain.name)
    {
        #"Authentication failed for $($Credential.UserName)!"
        Write-Host "Authentication failed - please verify your username and password."
        $Result.UserName = $Credential.UserName
        $Result.Success = $false
    }
    else
    {
        Write-Host "Successfully authenticated with domain $($domain.name)"
        #"Authentication success for $($Credential.UserName)!"
        # Only members of PU-access (directly or via nested groups) may log in.
        # The comparison is against samaccountname, so the username must be entered without a domain prefix.
        $groupMember = Get-ADGroupMember -Identity PU-access -Recursive | Select-Object -ExpandProperty samaccountname
        if ($groupMember -contains $Credential.UserName) {
            $Result.UserName = $Credential.UserName
            $Result.Success = $true
        }
        else {
            $Result.UserName = $Credential.UserName
            $Result.Success = $false
        }
    }
}

Users must be in the PU-access group (or a group nested inside of that group) in order to log in.

Here is a sample of three roles I have set up in roles.ps1

New-PSURole -Name "Administrator" -Description "Administrators can manage settings of UA, create and edit any entity within UA and view all the entities within UA." -Policy {
    param(
        $User
    )

    #
    # Policies should return $true or $false to determine whether the user holds
    # the claim required for that role.
    #

    # Strip the domain prefix so the identity name matches the samaccountname values
    $groupMember = Get-ADGroupMember PU-Admin | Select-Object -ExpandProperty samaccountname
    if ($groupMember -contains $User.Identity.Name.Replace("domain\", "")) {
        $true
    }
    elseif ($User.Identity.Name -eq "Default Admin") {
        $true
    }
    else {
        $false
    }
}
New-PSURole -Name "Helpdesk" -Description "Helpdesk" -Policy {
    param(
        $User
    )
    $groupMember = Get-ADGroupMember PU-helpdesk | Select-Object -ExpandProperty samaccountname

    if ($groupMember -contains $User.Identity.Name.Replace("domain\", "")) {
        $true
    }
    else {
        $false
    }
}
New-PSURole -Name "User Creation" -Description "Allows access to the User Creation dashboard" -Policy {
    param(
        $User
    )
    $groupMember = Get-ADGroupMember PU-UserCreate | Select-Object -ExpandProperty samaccountname

    if ($groupMember -contains $User.Identity.Name.Replace("domain\", "")) {
        $true
    }
    else {
        $false
    }
}


After successfully logging in (due to membership in PU-access), users are assigned a role via other group memberships. None of this may be the "best" way to do it, but it works for me in my environment.

1 Like

Thank you for the great examples!

Also, I forgot to mention that you need the ActiveDirectory module installed on the server hosting PU. If not, you would need to do an ADSI search for the group members.

1 Like
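The following is an added example, not the script of either poster above. It covers the five points from the question (forms auth against AD, deny login unless the user is in one of the three role groups, role policies keyed to PSUAdmins/PSUOperators/PSUReaders) and uses the ADSI search route mentioned in the last reply, so it does not need the ActiveDirectory module. The LDAP path, the group names, and the helper function names are assumptions; `$Credential`, `[Security.AuthenticationResult]`, `New-PSURole` and `$User.Identity.Name` are the PowerShell Universal names used in the posts above. Two points the posted scripts do not show: the username typed into the login form is untrusted input and is escaped before it is placed inside an LDAP filter, and nested membership is resolved in one query with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941).

```powershell
# Added example (assumed helper names, placeholder LDAP path and group names).

# RFC 4515 escaping for values embedded in an LDAP filter. The login username is
# attacker-controlled, so it must never be concatenated into a filter unescaped.
function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # Backslash first so the escape sequences added afterwards are not re-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

# Returns the names of those groups in $GroupNames that the user belongs to,
# directly or through nesting, in a single query against the bound $SearchRoot.
function Get-RoleGroupMembership {
    param(
        [System.DirectoryServices.DirectoryEntry]$SearchRoot,
        [string]$SamAccountName,
        [string[]]$GroupNames
    )
    $sam = ConvertTo-LdapFilterValue $SamAccountName

    # Resolve the user's DN first; it is needed for the chained member match below.
    $userSearch = New-Object System.DirectoryServices.DirectorySearcher($SearchRoot)
    $userSearch.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"
    [void]$userSearch.PropertiesToLoad.Add('distinguishedname')
    $user = $userSearch.FindOne()
    if ($null -eq $user) { return }
    $userDn = ConvertTo-LdapFilterValue ([string]$user.Properties['distinguishedname'][0])

    # member:1.2.840.113556.1.4.1941:= walks nested group membership on the server side.
    $groupClauses = ($GroupNames | ForEach-Object { "(cn=$(ConvertTo-LdapFilterValue $_))" }) -join ''
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($SearchRoot)
    $groupSearch.Filter = "(&(objectClass=group)(|$groupClauses)(member:1.2.840.113556.1.4.1941:=$userDn))"
    [void]$groupSearch.PropertiesToLoad.Add('cn')
    $groupSearch.FindAll() | ForEach-Object { [string]$_.Properties['cn'][0] }
}

# ---- authentication.ps1 (Forms auth) ----
$LdapRoot   = 'LDAP://DC=domain,DC=local'                       # placeholder: your domain
$RoleGroups = @('PSUAdmins', 'PSUOperators', 'PSUReaders')       # group names from the question

$Result = [Security.AuthenticationResult]::new()
$Result.Success = $false

# Accept "DOMAIN\user" or "user@domain" and keep the bare sAMAccountName, so the
# role policies can compare it without stripping a prefix themselves.
$Sam = $Credential.UserName.Split('\')[-1].Split('@')[0]
$Result.UserName = $Sam

try {
    # Binding with the user's own credential is the password check. RefreshCache()
    # is a method call, so a failed bind throws and lands in the catch block.
    $Root = New-Object System.DirectoryServices.DirectoryEntry($LdapRoot, $Credential.UserName, $Credential.GetNetworkCredential().Password)
    $Root.RefreshCache()

    $Groups = @(Get-RoleGroupMembership -SearchRoot $Root -SamAccountName $Sam -GroupNames $RoleGroups)
    if ($Groups.Count -gt 0) {
        $Result.Success = $true      # in at least one role group: login allowed
    }
    else {
        Write-Warning "Login denied for '$Sam': not a member of any PSU role group."
    }
}
catch {
    # Do not echo the password or the raw LDAP error back to the login form.
    Write-Warning "Authentication failed for '$Sam': $($_.Exception.Message)"
}

# ---- roles.ps1 ----
# Role policies run as the PSU service account (the user's password is not available
# here), so the bind uses the service identity. The helper above is assumed to be
# loaded for both scripts, for example from a dot-sourced file. Operator and Reader
# are defined the same way with 'PSUOperators' and 'PSUReaders'.
New-PSURole -Name 'Administrator' -Description 'Members of the PSUAdmins AD group' -Policy {
    param($User)
    $Root = New-Object System.DirectoryServices.DirectoryEntry('LDAP://DC=domain,DC=local')   # placeholder
    $Sam  = $User.Identity.Name.Split('\')[-1]
    @(Get-RoleGroupMembership -SearchRoot $Root -SamAccountName $Sam -GroupNames @('PSUAdmins')).Count -gt 0
}
```

Because the authentication script only records the bare sAMAccountName, a user who types `DOMAIN\jdoe` or `jdoe@domain.local` still matches the group query, which is the mismatch the `-contains` checks in the posted scripts are exposed to. The DirectorySearcher in authentication.ps1 inherits the user's own bind, so it only reads what that user is permitted to read, while the role policy reads with the service account; both only need the default read access to group membership.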